Author Topic: Siglent .ads firmware file format  (Read 172018 times)


Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #125 on: June 13, 2018, 05:28:26 pm »
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #126 on: June 13, 2018, 07:04:28 pm »
[000A09D6-000A0AAC]  CRC32: F48E57F1  DecompSize: 000000F9  ADLER32: 91C34AE7 - ZLIB_ADLER32_OK

You did a binary replacement?

Edit: It seems you did. That should do the job! :)

New one:
[000A09D6-000A0AAC]  CRC32: C7E44B26  DecompSize: 000000F9  ADLER32: 9A234C07 - ZLIB_ADLER32_OK
« Last Edit: June 13, 2018, 07:09:42 pm by tv84 »
 

Offline ian.ameline

  • Regular Contributor
  • *
  • Posts: 73
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #127 on: June 13, 2018, 07:35:07 pm »
Replacing the shadow file wasn't very hard to do so let's test this method

SDS1004X-E_OSV1_EN_eevblog.zip

Ok -- that copied over to the scope and boots up!
And I can log in as root via telnet!

Let the exploring begin...
 

Offline ian.ameline

  • Regular Contributor
  • *
  • Posts: 73
  • Country: ca
Re: Siglent .ads firmware file format
« Reply #128 on: June 13, 2018, 08:54:32 pm »
It's pretty interesting -- with cursors on, fft active with 1mpts, and measure all active, and the web interface going, you can saturate both CPUs on the machine... (load Avg of 1.94 in top)
But with just viewing a waveform, it's very lightly loaded -- under 5%.

Even with those features activated, it's using around 52% of the cpu RAM. (256Meg)
 

Online markus_jlrb

  • Regular Contributor
  • *
  • Posts: 140
  • Country: de
Re: Siglent .ads firmware file format
« Reply #129 on: June 14, 2018, 05:50:42 am »
Dears,

fantastic news, it would be a big favor if you could do this for the SDS2204X model FW too.
I'm working on this too since a few days, but my learning process is still evolving with small
progress.

I follow your descriptions concerning the reverse of the binary FW file and am now working on
the extraction of the zipped parts to extract the shadow file in order to find the root PW.

But your progress is more effective and leads perhaps faster to a FW mod.
Is it true that the telnet daemon first has to be activated in order to be able to use it, or does
it run continuously? Nmap did not show port 23 active on my device.

By the way, I'm also interested in a mod FW file for the SDG6022X IQ generator.

Any help that brings me closer to my goal of option activation is appreciated.

Many thanks in advance for your help.

Markus

 
 

Online markus_jlrb

  • Regular Contributor
  • *
  • Posts: 140
  • Country: de
Re: Siglent .ads firmware file format
« Reply #130 on: June 14, 2018, 08:17:27 am »
@janekivi

could you please confirm that my understanding of your FWF conversion/decryption
is right, or correct it if I made an error.

1) first step is to turn the .ads file around (or look at it backwards)

2) XOR FF it with pattern bytes 0, 1, 3, 6, A, F and so on - space increasing by 1 <== could you please explain 0,1,3,6,A,F...

3) XOR FF it from center (file length - 72)/2 as the file has a 72 byte header (now at the end) <== XOR every FW byte with FF - right?

So I extracted your description and wrote my own Python script that does the three actions like listed below:

Reverse FW File:
=============
according to  outfile.write(bytes(byte_list[::-1]))


First XOR:
=========
a = 0
j = 0
i = len(b)            # b is a bytearray holding the reversed file
while j < i:
    b[j] ^= 0xFF
    j = j + a + 1     # visits 0, 1, 3, 6, 10 (0xA), 15 (0xF), ...
    a = a + 1

Second XOR from Pos len(b)/2-36:
================================
i = len(b)
j = len(b) // 2 - 36  # integer division; a float index does not work as a bytearray index in Python 3
while j < i:
    b[j] ^= 0xFF
    j = j + 1


Thanks for your effort and helpful hints.

Markus
« Last Edit: June 14, 2018, 08:20:01 am by markus_jlrb »
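The three steps listed in the post, as an added Python example (not from the thread and not janekivi's tool): it applies reverse, triangular XOR and half-file XOR to an arbitrary byte string, provides the exact inverse so a repacked file can be re-obfuscated, and lists which offsets really end up inverted, because an offset hit by both XOR passes is flipped twice and comes out unchanged. The 72-byte header length is the figure quoted in the post; everything else is an assumption, and only this XOR/reversal envelope is covered, not the encrypted regions tv84 mentions.

```python
HEADER_LEN = 72  # header size quoted in the post; it sits at the tail once the file is reversed


def triangular_positions(n):
    """Yield 0, 1, 3, 6, 10, 15, ... (hex 0, 1, 3, 6, A, F, ...) below n: the gap grows by one each step."""
    pos, step = 0, 1
    while pos < n:
        yield pos
        pos += step
        step += 1


def deobfuscate(ads, header_len=HEADER_LEN):
    """Steps from the post: byte-reverse, XOR 0xFF at triangular offsets,
    then XOR 0xFF from (len - header_len)/2 to the end.  Returns a bytearray."""
    b = bytearray(ads[::-1])                               # step 1: reverse the whole file
    for j in triangular_positions(len(b)):                 # step 2: triangular offsets
        b[j] ^= 0xFF
    for j in range((len(b) - header_len) // 2, len(b)):    # step 3: equals len/2 - 36 for a 72-byte header
        b[j] ^= 0xFF
    return b


def obfuscate(plain, header_len=HEADER_LEN):
    """Exact inverse: both XOR masks undo themselves, so apply them and reverse last."""
    b = bytearray(plain)
    for j in range((len(b) - header_len) // 2, len(b)):
        b[j] ^= 0xFF
    for j in triangular_positions(len(b)):
        b[j] ^= 0xFF
    return bytes(b[::-1])


def flipped_offsets(n, header_len=HEADER_LEN):
    """Offsets (in the reversed buffer) whose byte really is inverted.
    An offset covered by both passes is XORed twice and therefore left unchanged."""
    tri = set(triangular_positions(n))
    half = set(range((n - header_len) // 2, n))
    return sorted(tri ^ half)


def main():
    # usage: python this.py input.ads output.bin   (assumed file names)
    import sys
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(deobfuscate(data))


if __name__ == "__main__":
    main()
```

Because both masks are involutions and commute with each other, the only ordering that matters is that reversal happens first when unpacking and last when repacking.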
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #131 on: June 14, 2018, 08:45:20 am »
Markus,

msg 99 of this thread:

https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1335892/#msg1335892

You have the parsing of all files. You can see there some indication about the half-file to xor for question 3.

Your 2nd step is correct.

Before 1st step you could(should) parse the file header. But, since you can't decrypt yet...

After doing the xor-deobfuscation you will be able to extract the shadow but you can't reconstruct the zip file because of the encrypted areas... you need to tackle the decryption.
 

Online markus_jlrb

  • Regular Contributor
  • *
  • Posts: 140
  • Country: de
Re: Siglent .ads firmware file format
« Reply #132 on: June 14, 2018, 11:03:41 am »
@tv84,

thanks for your reply,

but I'm a bit confused about the .ads FW file checksum issue.

According to msg #99 of the thread the FW file

SDS2000x_1.2.2.2R10.ADS  CRC32: FBD42874

has the above checksum, but

according to the python fragment listed in msg #74 of the thread
that I included in my script, see below,

>./ads_fwf_checksum.py SDS2000x_1.2.2.2R10.ADS
ED2FE8CD - 32 bit checksum
      CD -  8 bit checksum

>cat ./ads_fwf_checksum.py
#! /usr/bin/python3

import sys
import functools

input_file = sys.argv[1]

data = bytearray(open(input_file, 'rb').read())

csum = functools.reduce(lambda x, y: x + y, data, 0)   # plain byte sum
csum = ~csum + 1                                        # two's complement of the sum
csum = csum & 0xffffffff                                # keep 32 bits
print(format(csum, 'X'), "- 32 bit checksum")
csum = csum & 0xff                                      # low byte only
print("     ", format(csum, 'X'), "-  8 bit checksum")


the checksum differs <== ????

Have you an idea what's wrong?


Thanks

Markus
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #133 on: June 14, 2018, 11:32:07 am »
When I mention:

SDS2000x_1.2.2.2R10.ADS  CRC32: FBD42874

it is just for an integrity check of the ADS in question.

It's calculated with the general CRC-32 algo and it's 100% correct. Maybe you are not implementing the right CRC-32. There are plenty of options, I don't know if you are aware of that.

http://www.sunshine2k.de/coding/javascript/crc/crc_js.html

It's the first option of CRC32.
 

Online markus_jlrb

  • Regular Contributor
  • *
  • Posts: 140
  • Country: de
Re: Siglent .ads firmware file format
« Reply #134 on: June 14, 2018, 02:45:54 pm »
@tv84,

>./ads_fwf_checksum.py SDS2000x_1.2.2.2R10.ADS
ED2FE8CD - 32 bit checksum
      CD -  8 bit checksum
FBD42874 - 32 bit checksum
      74 -  8 bit checksum

now the crc32 result looks ok.

I had used the crc32.py module from
https://github.com/StalkR/misc/blob/master/crypto/crc32.py

After replacement of "ord(c)" by "c", as the read function fetches
a byte stream, I was able to calc the crc32 sum of the .ads fwf.

Thanks
Markus

>cat ./ads_fwf_checksum.py
#! /usr/bin/python3

import sys
import functools
from crc32 import CRC32   # StalkR's crc32.py, with ord(c) replaced by c so it accepts bytes

input_file = sys.argv[1]

data = bytearray(open(input_file, 'rb').read())

# Or data can be declared directly
# data = bytes([0x02, 0x00, 0x00, 0x04, 0x00, 0x00])

csum = functools.reduce(lambda x, y: x + y, data, 0)   # plain byte sum
csum = ~csum + 1                                        # two's complement of the sum
csum = csum & 0xffffffff                                # keep 32 bits
print(format(csum, 'X'), "- 32 bit checksum")
csum = csum & 0xff                                      # low byte only
print("     ", format(csum, 'X'), "-  8 bit checksum")

csum2 = CRC32().calc(data)                              # standard CRC-32, matches tv84's value
print(format(csum2, 'X'), "- 32 bit checksum")
csum2 = csum2 & 0xff                                    # low byte only
print("     ", format(csum2, 'X'), "-  8 bit checksum")
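To make the difference between the two numbers in this exchange concrete, here is an added Python example (not from the thread and not markus's script): the additive two's-complement checksum of the msg #74 fragment next to a table-driven CRC-32 with the parameters of the standard "first option" on the sunshine2k page (polynomial 0x04C11DB7, reflected input and output, init and final XOR 0xFFFFFFFF), which is the same function zlib.crc32 computes. The inputs are constructed; the one fixed reference value is the well-known CRC-32 check value of the string "123456789", 0xCBF43926.

```python
import zlib

CRC32_POLY = 0x04C11DB7   # normal form of the IEEE 802.3 polynomial; reflected it is 0xEDB88320


def _reflect(value, bits):
    """Reverse the bit order of a `bits`-wide integer."""
    out = 0
    for _ in range(bits):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out


def _make_table(poly=CRC32_POLY):
    """256-entry lookup table for the reflected (LSB-first) algorithm."""
    rpoly = _reflect(poly, 32)
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ rpoly if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32(data, init=0xFFFFFFFF, xorout=0xFFFFFFFF):
    """Standard CRC-32: refin/refout, init 0xFFFFFFFF, xorout 0xFFFFFFFF.
    Change init/xorout/poly and you get one of the other 'options' on the sunshine2k page."""
    crc = init
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return (crc ^ xorout) & 0xFFFFFFFF


def additive_checksum(data):
    """Two's complement of the plain byte sum, as in the msg #74 fragment: (32-bit, 8-bit)."""
    csum = (~sum(data) + 1) & 0xFFFFFFFF
    return csum, csum & 0xFF


def additive_ok(data, csum):
    """The property an additive checksum gives you: data plus checksum sums to zero mod 2**32."""
    return (sum(data) + csum) & 0xFFFFFFFF == 0


def checksum_report(data):
    """The numbers a practitioner would put side by side when two tools disagree."""
    sum32, sum8 = additive_checksum(data)
    return {
        "sum32": sum32,
        "sum8": sum8,
        "crc32": crc32(data),
        "zlib_crc32": zlib.crc32(data) & 0xFFFFFFFF,
    }
```

The additive value is a sum, so it is unchanged by reordering bytes or by any pair of edits that cancel; CRC-32 is a polynomial remainder and catches those, which is why tv84 quotes it as the integrity figure.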
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #135 on: June 14, 2018, 04:22:08 pm »
 :-//
I don't have a clue what you are doing here...
but one day I made SDS file viewer and unpacker and app converter and after that
you can unpack program part from that app with offzip. Packed region is starting
from 0000dbd4 and then you have unpacked BlackFin code with which I don't know
what we gonna do...

I start looking it here
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1061594/#msg1061594
and latest app is there
https://www.eevblog.com/forum/testgear/siglent-ads-firmware-file-format/msg1208443/#msg1208443
 

Online markus_jlrb

  • Regular Contributor
  • *
  • Posts: 140
  • Country: de
Re: Siglent .ads firmware file format
« Reply #136 on: June 15, 2018, 07:07:33 am »
@janekivi

I try to reproduce your steps in .ads FW reassembling.
One of them was to calculate the CRC32 properly.
The others to understand the .ads file format.
Due to your excellent prework I hope to create my
own tools.

I was aware of the tools you provided, but I had no luck
till now to use them under wine (Linux OS) due to missing
libs. (I'm not sure if your code could be ported to Mono,
the Linux version of the .NET environment.)

Thanks for your reply.

Markus
 

Online markus_jlrb

  • Regular Contributor
  • *
  • Posts: 140
  • Country: de
Re: Siglent .ads firmware file format
« Reply #137 on: June 21, 2018, 04:16:42 pm »
@janekivi
@tv84,
and all,

how to proceed after I have extracted Part1..5+7 from the
.ads FW file with the sds_ads.exe tool?

How to extract and mod the shadow file to enter my own
hash for the root account, and how to pack all parts together
to get again a .ads FW file?

Some helpful hints will be appreciated.

Many thanks in advance for this effort.

Markus
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #138 on: June 21, 2018, 05:29:48 pm »
@janekivi
@tv84,
and all,

how to proceed after I have extracted Part1..5+7 from the
.ads FW file with the sds_ads.exe tool?

How to extract and mod the shadow file to enter my own
hash for the root account, and how to pack all parts together
to get again a .ads FW file?

Some helpful hints will be appreciated.

Many thanks in advance for this effort.

Markus

"Part1..5+7" exist in files which, I think, are not relevant to your "shadow" quest.

Usually the shadow file exists inside a ZIP in the ADS. So, you decrypt the ADS, extract the zip and replace shadow.

You can generate the shadow file in linux or manually hash the passwords.

Then, it's the reverse process all the way:

Compress the zip with the new shadow file.
Encode the zip in an ADS, placing headers, xoring and encrypting...  Maybe janekivi's tool does this... Don't remember.

I advise you to not flash a "handmade" ADS before me or janekivi do a small validation test. Just to decrease the risk of having any packing error...

Look at my parsings list and see where the shadow files exist.

« Last Edit: June 21, 2018, 05:32:13 pm by tv84 »
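As an added Python example (not from the thread, and neither janekivi's nor tv84's tool), here is the kind of check that sits behind the per-stream lines tv84 posts in reply #126 and behind what offzip does on the packed region janekivi points at in reply #135: it scans a blob for zlib headers the way offzip does, reports each complete stream in the same column layout (CRC-32 of the compressed bytes, decompressed size, Adler-32 read from the zlib trailer, and whether that trailer matches the decompressed data), then swaps the root hash in a shadow file carried in such a stream and refuses a hash that would change the decompressed size, since identical DecompSize before and after is what an in-place replacement like ian.ameline's needs. The container bytes, the shadow file and both hash strings are constructed placeholders, and reading the ADLER32 column as the trailer value is my assumption about tv84's output.

```python
import struct
import zlib

# Constructed sample shadow file; the hashes are placeholder strings, not real password hashes.
OLD_HASH = "$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA"
NEW_HASH = "$1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB"
SAMPLE_SHADOW = (
    b"root:" + OLD_HASH.encode() + b":17000:0:99999:7:::\n"
    b"daemon:*:17000:0:99999:7:::\n"
)


def sample_container():
    """Constructed stand-in for a decrypted image: padding, one zlib stream, more padding."""
    return b"\x00" * 32 + zlib.compress(SAMPLE_SHADOW, 9) + b"\xff" * 16


def zlib_stream_report(start, blob):
    """One line of the kind tv84's parser prints, for the zlib stream at the start of blob."""
    d = zlib.decompressobj()
    plain = d.decompress(blob)
    if not d.eof:
        raise zlib.error("truncated stream")
    stream = blob[:len(blob) - len(d.unused_data)]
    trailer = struct.unpack(">I", stream[-4:])[0]      # zlib trailer: big-endian Adler-32 of the data
    return {
        "start": start, "end": start + len(stream),
        "crc32": zlib.crc32(stream) & 0xFFFFFFFF,
        "decomp_size": len(plain),
        "adler32": trailer,
        "adler_ok": trailer == (zlib.adler32(plain) & 0xFFFFFFFF),
    }


def find_zlib_streams(data):
    """offzip-style scan: try every offset whose two bytes form a plausible zlib header
    (CM = 8 and the 16-bit header divisible by 31); keep only complete, valid streams."""
    reports = []
    for off in range(len(data) - 1):
        cmf, flg = data[off], data[off + 1]
        if cmf & 0x0F != 8 or ((cmf << 8) | flg) % 31:
            continue
        try:
            reports.append(zlib_stream_report(off, data[off:]))
        except zlib.error:
            continue
    return reports


def format_report(r):
    status = "ZLIB_ADLER32_OK" if r["adler_ok"] else "ZLIB_ADLER32_BAD"
    return "[%08X-%08X]  CRC32: %08X  DecompSize: %08X  ADLER32: %08X - %s" % (
        r["start"], r["end"], r["crc32"], r["decomp_size"], r["adler32"], status)


def shadow_hash(shadow, user):
    """Password field (field 2 of 9) of `user` in a shadow file, or None."""
    for line in shadow.split(b"\n"):
        fields = line.split(b":")
        if len(fields) == 9 and fields[0] == user.encode():
            return fields[1].decode()
    return None


def replace_shadow_hash(shadow, user, new_hash):
    """Copy of the shadow file with `user`'s hash swapped; raises if the user is absent."""
    out, found = [], False
    for line in shadow.split(b"\n"):
        fields = line.split(b":")
        if len(fields) == 9 and fields[0] == user.encode():
            fields[1] = new_hash.encode()
            found = True
        out.append(b":".join(fields))
    if not found:
        raise ValueError("no entry for %r" % user)
    return b"\n".join(out)


def stream_payload(data, start):
    """Decompressed content of the zlib stream at `start`."""
    return zlib.decompress(data[start:zlib_stream_report(start, data[start:])["end"]])


def patch_shadow_stream(data, start, new_hash, keep_size=True):
    """Replace root's hash inside the zlib stream at `start` and splice the recompressed stream
    back into the container.  With keep_size the decompressed size must stay the same, which is
    what a same-length in-place replacement (identical DecompSize before and after) requires."""
    end = zlib_stream_report(start, data[start:])["end"]
    plain = zlib.decompress(data[start:end])
    patched = replace_shadow_hash(plain, "root", new_hash)
    if keep_size and len(patched) != len(plain):
        raise ValueError("new hash changes the shadow file length")
    return data[:start] + zlib.compress(patched, 9) + data[end:]
```

The recompressed stream is not guaranteed to be the same compressed length as the original even when the plaintext length is unchanged, so anything that records stream offsets in a header still has to be re-derived after the splice; the size guard only covers the decompressed side that the thread's DecompSize column shows.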
 

Online markus_jlrb

  • Regular Contributor
  • *
  • Posts: 140
  • Country: de
Re: Siglent .ads firmware file format
« Reply #139 on: June 21, 2018, 06:25:54 pm »
@tv84,

but where can I find the block with the FW file system?
How to read/interpret your listing? See the attached file that I
cut & pasted from your recent FW summary.

Markus
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #140 on: June 21, 2018, 07:54:03 pm »
@tv84,

but where can I find the block with the FW file system?
How to read/interpret your listing? See the attached file that I
cut & pasted from your recent FW summary.

Markus

Oh, I see your problem!

The example that you provide is a SDS2000X file. Not a SDS2000X-E file!

This scope has a Blackfin proc and several FPGAs.

The X-E has an ARM proc. The structure of ADS is completely different, although the basic encryption envelope is pretty much the same.

You don't have a shadow file in the X version because it doesn't have a "file system" and/or linux environment.

Which is the equipment that you want to "analyze"?
 

Online markus_jlrb

  • Regular Contributor
  • *
  • Posts: 140
  • Country: de
Re: Siglent .ads firmware file format
« Reply #141 on: June 21, 2018, 08:15:00 pm »
Oh,

what a pity.

So I have to start to analyze from the beginning and
make my own experience and tools.

Thanks for your explanation concerning the X and X-E
model suffix.

Markus
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 28136
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Siglent .ads firmware file format
« Reply #142 on: June 21, 2018, 08:22:41 pm »
@tv84,

but where can I find the block with the FW file system?
How to read/interpret your listing? See the attached file that I
cut & pasted from your recent FW summary.

Markus

Oh, I see your problem!

The example that you provide is a SDS2000X file. Not a SDS2000X-E file!

This scope has a Blackfin proc and several FPGAs.

The X-E has an ARM proc. The structure of ADS is completely different, although the basic encryption envelope is pretty much the same.

You don't have a shadow file in the X version because it doesn't have a "file system" and/or linux environment.

Which is the equipment that you want to "analyze"?
I think markus has misunderstood your question.
See here:
https://www.eevblog.com/forum/testgear/siglent-sds2204x-mods/
 

Offline janekivi

  • Frequent Contributor
  • **
  • Posts: 368
  • Country: ee
Re: Siglent .ads firmware file format
« Reply #143 on: June 21, 2018, 08:29:52 pm »
In other words, crypted-reversed-XORed-ZIP files you must process to get files,
but in SDS1000X, SDS2000 and SDS2000X firmware you have plain files.
(except part 5, which is the BlackFin app and a bit obfuscated or so)
So those parts 1...5 and 7 are the plain files that the scope is using. I haven't given them names
but TV84 probably knows better what files they are - FPGA, APP, ... (no LINUX there)
That's what SDS ADS files my SDS file viewer is made for. I haven't done a repack utility yet...
 

Online markus_jlrb

  • Regular Contributor
  • *
  • Posts: 140
  • Country: de
Re: Siglent .ads firmware file format
« Reply #144 on: June 21, 2018, 08:41:12 pm »
@janekivi,
@all,

does it make sense to analyze the FW parts the sds_ads tool generates with IDA-Pro?
And if so, are there templates/addons/extensions that could be used for this
purpose?

Markus
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Siglent .ads firmware file format
« Reply #145 on: June 21, 2018, 09:09:40 pm »
Markus,

I think you don't need to reinvent the wheel but... you know better.

If you want to reverse the SDS2000X Blackfin block, you can extract it with janekivi's tool and then load the Blackfin plugins in IDA and analyze the code. It will be a hard job because there's no decompiler to help you. And unless you have BF expertise... Blackfin code is not ARM code...

But, of course, it is possible to do and, at least, produce an upgrade patch (since that seems to be your ultimate goal). Not the cleanest of solutions but nobody here is looking for perfection.

 

Offline SMB784

  • Frequent Contributor
  • **
  • Posts: 421
  • Country: us
    • Tequity Surplus
Re: Siglent .ads firmware file format
« Reply #146 on: June 30, 2018, 02:28:14 pm »
So if I am starting from a stock SDS1104X-E with stock, out of the box (not updated) firmware, what is the step by step process for updating the oscilloscope to the latest firmware while also getting access to or changing the root user password for the scope?

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4060
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Siglent .ads firmware file format
« Reply #147 on: June 30, 2018, 03:46:22 pm »
So if I am starting from a stock SDS1104X-E with stock, out of the box (not updated) firmware, what is the step by step process for updating the oscilloscope to the latest firmware while also getting access to or changing the root user password for the scope?

If your scope system info shows out of the box:
FW 7.1.6.1.25R2
or
FW 7.1.6.1.25R1
(this 1, here colored red, tells that OS V1 is installed.)
then B, else A

A
Update latest FW and OS (if not already out of the box).
SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 )
SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 )
Both can be downloaded from the Siglent official site. Inside both packages (zip) there are also instructions.


B
Then: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639

« Last Edit: June 30, 2018, 04:01:56 pm by rf-loop »
 

Offline SMB784

  • Frequent Contributor
  • **
  • Posts: 421
  • Country: us
    • Tequity Surplus
Re: Siglent .ads firmware file format
« Reply #148 on: June 30, 2018, 06:51:49 pm »
So if I am starting from a stock SDS1104X-E with stock, out of the box (not updated) firmware, what is the step by step process for updating the oscilloscope to the latest firmware while also getting access to or changing the root user password for the scope?

If your scope system info shows out of the box:
FW 7.1.6.1.25R2
or
FW 7.1.6.1.25R1
(this 1, here colored red, tells that OS V1 is installed.)
then B, else A

A
Update latest FW and OS (if not already out of the box).
SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18 )
SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18 )
Both can be downloaded from the Siglent official site. Inside both packages (zip) there are also instructions.


B
Then: https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639

Thanks!
« Last Edit: July 01, 2018, 12:29:38 am by SMB784 »
 

Offline BillB

  • Supporter
  • ****
  • Posts: 615
  • Country: us
Re: Siglent .ads firmware file format
« Reply #149 on: June 30, 2018, 11:41:03 pm »
Thank you, but I think my main question has to do with how you log in as root. I assume there is a root password, and I'm under the assumption that it is not something known or easily guessed, so how do I install the software update so that I can either know or set the root user password?

SMB784, are you asking how you interface with the unit?  You'll need to telnet into the device through the ethernet connection.  As rf-loop said, it depends what your current firmware version is.  This determines the path you need to take.  The firmware is upgraded by copying files to a USB flash and following the on-device menus.

Once you have an updated firmware, you need to load the special OS build found in the message that rf-loop mentioned in B above.
 

